#!

###########################
# VPN SSL Settings Web Portal
###########################
config vpn ssl web portal
# Web-mode portal: browser-based access only (tunnel-mode is disabled below).
# Assigned to the web user group by authentication-rule 2 in "config vpn ssl settings".
edit mydomain1-web-access.local
set tunnel-mode disable 
set ipv6-tunnel-mode disable 
set web-mode enable 
# NOTE(review): host-check none, os-check disable and mac-addr-check disable
# mean no endpoint posture is evaluated before portal access; the only gate is
# the user-group match in the authentication rule. limit-user-logins enable
# limits concurrent logins per user account (keep it).
set host-check none 
set limit-user-logins enable 
set mac-addr-check disable 
set os-check disable 
set virtual-desktop disable 
set display-bookmark enable 
set user-bookmark enable 
# The bookmark groups below are a disabled template. Before enabling the RDP
# bookmark, replace the 0.0.0.0 host (presumably a placeholder — confirm) with
# the real server; "unset logon-user" is listed twice, the second is redundant.
#config bookmark-group
#edit "RDP-Kategorie"
#config bookmarks
#edit "RDP"
#set apptype rdp
#set description "RDP-Connection"
#set host 0.0.0.0
#set server-layout de-de-qwertz 
#set security rdp
#unset logon-user
#unset logon-user
#end
#end
#config bookmark-group
#edit "Intranet-Kategorie"
#config bookmarks
#edit "Intranet"
#set apptype web
#set description "Intranet Site"
#set url "www.mydomain1.intra"
#set sso disable
#end
#end
set display-connection-tools enable 
set display-history enable 
set display-status enable 
# Portal page heading; the post-login redirect (redir-url) is left disabled here.
set heading "Welcome to mydomain1.ch" 
#set redir-url www.mydomain1.ch
set theme blue 
set custom-lang en 
end
###########################
# VPN SSL Settings Tunnel Mode
###########################
config vpn ssl web portal
# Tunnel-mode portal for the FortiClient SSL-VPN; no web portal (web-mode is disabled).
# Assigned to the tunnel user group by authentication-rule 1 in "config vpn ssl settings".
edit mydomain1-tunnel-access.local
set tunnel-mode  enable 
set ipv6-tunnel-mode disable 
set web-mode  disable 
# NOTE(review): no host/OS/MAC posture checks before a full network tunnel is granted;
# limit-user-logins enable limits concurrent logins per user account (keep it).
set host-check none 
set limit-user-logins enable 
set mac-addr-check disable 
set os-check disable 
set virtual-desktop disable 
set ip-mode range 
set auto-connect disable 
set keep-alive enable 
# NOTE(review): save-password enable lets the client store the user's password
# locally; consider disabling it unless the endpoints are managed.
set save-password enable 
# Client addresses come from this pool object; the same object is set as
# tunnel-ip-pools in "config vpn ssl settings".
set ip-pools net-mydomain1-ip-pool-ssl-vpn-198.18.1.0-25
# Split tunnel: only the LAN object below is routed through the tunnel;
# all other client traffic stays on the client's local network.
set split-tunneling enable 
set split-tunneling-routing-address net-mydomain1-lan-198.18.0.0-24
# NOTE(review): every other DNS setting in this file points at 198.18.0.91;
# 192.168.1.1 is outside the split-tunnel route above, so confirm it is
# intended and reachable for tunnel clients.
set dns-server1 192.168.1.1
set dns-server2 0.0.0.0
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
end
###########################
# VPN SSL Settings Dummy
###########################
config vpn ssl web portal
# Minimal "dummy" portal: tunnel mode, bookmarks, tools, history and status are
# all disabled, so a user who lands here sees only the heading. It is the
# default-portal in "config vpn ssl settings", i.e. presumably the fallback for
# logins that match no authentication rule — confirm against the firmware's
# default-portal semantics.
edit mydomain1-dummy-access.local
set tunnel-mode disable
set ipv6-tunnel-mode disable 
set web-mode enable
set host-check none 
set limit-user-logins enable 
set mac-addr-check disable 
set os-check disable 
set virtual-desktop disable 
set display-bookmark disable
set user-bookmark disable
set display-connection-tools disable
set display-history disable
set display-status disable
set heading "Welcome to mydomain1.ch" 
unset redir-url
set theme blue 
set custom-lang en 
end
###########################
# VPN SSL Settings Realm
###########################
#
# Be careful: re-verify the embedded HTML login page after every firmware version change
#
config vpn ssl web realm
# Realm "mydomain1": referenced by authentication-rule 2 (web portal) in
# "config vpn ssl settings". Carries a custom HTML login page.
edit "mydomain1"
set max-concurrent-user 100
# The login page is a single quoted string spanning many lines; inner quotes
# are backslash-escaped. The %%SSL_ACT%%, %%SSL_METHOD%%, %%SSL_LOGIN%% and
# %%SSL_HIDDEN%% tokens are filled in by the firmware — keep them intact.
# Re-check the markup against the stock template after every firmware upgrade.
# The header div is the legal warning banner shown above the credential fields.
set login-page "<!DOCTYPE html>
<html lang=\"en\" class=\"main-app\">
  <head>
    <meta charset=\"UTF-8\">
    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=8; IE=EDGE\">
    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">
    <link href=\"/css/main-blue.css\" rel=\"stylesheet\" type=\"text/css\">
    <title>
      Login
    </title>
  </head>
  <body>
    <div class=\"view-container\">
      <form class=\"prompt\" action=\"%%SSL_ACT%%\" method=\"%%SSL_METHOD%%\" name=\"f\" autocomplete=\"off\">
        <div class=\"content with-header\">
          <div class=\"header\">
            <div>
              WARNING!
              <br>
              <br>
              You must have prior authorization to login to this system. All connections are logged and monitored. By login to this system you fully consent to all monitoring. Unauthorized login or use will be prosecuted to the full extent of the law. You have been warned!
            </div>
          </div>
          <div class=\"sub-content\">
            <div class=\"wide-inputs\">
              %%SSL_LOGIN%%
            </div>
            <div class=\"button-actions wide\">
              <button class=\"primary\" type=\"button\" name=\"login_button\" id=\"login_button\" onClick=\"try_login()\">
                Login
              </button>
            </div>
          </div>
        </div>
      </form>
    </div>
  </body>
  %%SSL_HIDDEN%%
</html>"
unset virtual-host
end
###########################
# VPN SSL Settings
###########################
config vpn ssl settings
# Global SSL-VPN listener settings (port, TLS versions, certificate, timeouts,
# address pool, DNS) plus the authentication rules that map user groups to portals.
#
# NOTE(review): reqclientcert disable, force-two-factor-auth disable and
# "auth local" in both rules below make portal login single-factor (password only).
set reqclientcert disable 
# NOTE(review): SSLv3, TLS 1.0 and TLS 1.1 are all enabled here. The hardened
# variant is prepared below (commented out); switching to it is a behaviour
# change that should be tested against the FortiClient versions in use.
set sslv3 enable 
set tlsv1-0 enable 
set tlsv1-1 enable 
set tlsv1-2 enable 
#
# To harden: disable SSLv3, TLS 1.0 and TLS 1.1 (uncomment the three lines
# below) and keep "set algorithm high".
#
#set tlsv1-0 disable
#set tlsv1-1 disable 
#set sslv3 disable
#
# Use "banned-cipher" to exclude specific cipher suites. "algorithm high"
# limits the strength class, but it does not necessarily exclude every suite
# you may consider weak — check the negotiated suites after changing it.
#
unset banned-cipher
set ssl-big-buffer disable 
# Empty-fragment insertion is a mitigation for CBC-mode TLS attacks; keep it enabled.
set ssl-insert-empty-fragment enable 
# No HTTP-to-HTTPS redirect: plain HTTP on the portal port is simply not served.
set https-redirect disable
# Client-initiated TLS renegotiation is disabled (keep: renegotiation-driven DoS).
set ssl-client-renegotiation disable 
set force-two-factor-auth disable 
# NOTE(review): Fortinet_Factory is the built-in certificate; presumably not
# trusted by client browsers/FortiClient without warnings — replace it with a
# certificate issued for the portal hostname.
set servercert Fortinet_Factory 
set algorithm high
# Idle timeout 30 min and absolute session timeout 8 h (both in seconds).
set idle-timeout 1800
set auth-timeout 28800
# Same pool object that the tunnel portal sets as ip-pools.
set tunnel-ip-pools "net-mydomain1-ip-pool-ssl-vpn-198.18.1.0-25"
unset tunnel-ipv6-pools
set dns-suffix mydomain1.local
set dns-server1 198.18.0.91
#set dns-server2  198.18.0.1
#set wins-server1 0.0.0.0
#set wins-server2 0.0.0.0
unset ipv6-dns-server1
unset ipv6-dns-server2
unset ipv6-wins-server1 
unset ipv6-wins-server2
set route-source-interface disable 
set url-obscuration disable 
set http-compression disable 
# Session cookie is flagged HttpOnly (keep).
set http-only-cookie enable 
set http-request-header-timeout 20
set http-request-body-timeout 30
# Listener: TCP 10443 on wan1, accepting any IPv4/IPv6 source address.
set port 10443
set port-precedence enable 
set auto-tunnel-static-route disable 
set header-x-forwarded-for add
set source-interface "wan1"
set source-address "all"
set source-address-negate disable 
set source-address6 "all"
# Fallback portal (all features disabled) for logins that match no rule below.
set default-portal "mydomain1-dummy-access.local"
set dtls-tunnel enable 
# NOTE(review): check-referer disable turns off the Referer check on the web
# portal; consider enabling it unless it is known to break a client.
set check-referer disable 
# Rule 1: tunnel user group -> tunnel portal. Rule 2: web user group -> web
# portal in realm "mydomain1". Both: local auth, no client cert, high ciphers.
config authentication-rule
edit 1
set source-interface "wan1"
set source-address "all"
set source-address-negate disable 
unset source-address6
set source-address6-negate disable 
# set users local
# NOTE(review): "tunne" in this group name looks truncated; confirm it matches
# the user group object exactly, otherwise this rule never matches.
set groups "gr-ssl-fc-tunne-vpn-mydomain1.local"
set portal "mydomain1-tunnel-access.local"
unset realm
set client-cert disable 
set cipher high 
set auth local
next
edit 2
set source-interface "wan1"
set source-address "all"
set source-address-negate disable 
unset source-address6
set source-address6-negate disable 
# set users local
set groups "gr-ssl-fc-web-vpn-mydomain1.local"
set portal "mydomain1-web-access.local"
set realm mydomain1
set client-cert disable 
set cipher high 
set auth local 
next
end
end
###########################
# IPSec Phase 1 FortiClient Settings (Interface Based)
###########################
config vpn ipsec phase1-interface
# Dialup (type dynamic) IKEv1 phase 1 for FortiClient IPsec users on wan1.
# Peers authenticate with the shared PSK, then XAuth against authusrgrp.
edit ipsec-fc
set comments "IPSec Phase1 FortiClient 5.4 mydomain1-sg0e0"
set type dynamic 
set interface  wan1 
set ip-version  4
set ike-version 1 
set local-gw 0.0.0.0
# Phase 1 SA lifetime in seconds (8 h).
set keylife 28800
# NOTE(review): PSK + aggressive mode + peertype any: any peer holding the
# shared PSK (stored in clear text at the bottom of this entry) can start IKE,
# and aggressive mode is known to leak PSK-derived material usable for offline
# guessing. ipsec-cisco below uses main mode; check whether the FortiClient
# version in use can do the same.
set authmethod psk 
set mode aggressive 
set peertype any 
# mode-cfg pushes address, DNS and split-include to the client.
set mode-cfg  enable 
set ipv4-dns-server1 198.18.0.91
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
#config ipv4-exclude-range
unset ipv6-dns-server1
unset ipv6-dns-server2 
unset ipv6-dns-server3
#config ipv6-exclude-range
# NOTE(review): aes256-md5 and dhgrp 2 (1024-bit MODP) are legacy choices;
# prefer SHA-2 proposals and DH group 14 or higher once clients support them.
set proposal aes256-md5 aes256-sha1 
set add-route enable 
set exchange-interface-ip disable
set localid  ipsec-fc 
set localid-type auto 
set negotiate-timeout 30
set fragmentation enable 
set dpd on-idle
set forticlient-enforcement disable 
set npu-offload enable 
set dhgrp 2 
set suite-b disable 
set wizard-type custom 
# XAuth user authentication against this group, on top of the PSK.
set xauthtype auto
set reauth disable 
set authusrgrp gr-ipsec-fc-vpn-mydomain1.local 
set idle-timeout disable
set ha-sync-esp-seqno enable 
set auto-discovery-sender disable 
set auto-discovery-receiver disable 
set auto-discovery-forwarder disable 
set nattraversal enable 
# The default-gw / default-gw-priority pair is repeated verbatim; the second
# pair is redundant.
set default-gw 0.0.0.0
set default-gw-priority 0
set default-gw 0.0.0.0
set default-gw-priority 0
# Client address assignment: 198.18.1.129-254 with a /25 mask. The SSL-VPN pool
# object is named for 198.18.1.0-25, so presumably the two halves of
# 198.18.1.0/24 are split between SSL and IPsec clients — confirm no overlap.
set assign-ip enable 
set assign-ip-from range 
set ipv4-start-ip 198.18.1.129
set ipv4-end-ip 198.18.1.254
set ipv4-netmask  255.255.255.128
set dns-mode manual 
# Split tunnel: only the LAN object is pushed to the client as a tunnelled route.
set ipv4-split-include net-mydomain1-lan-198.18.0.0-24 
#set split-include-service 
unset ipv6-start-ip
unset ipv6-end-ip
unset ipv6-prefix
unset ipv6-split-include
set unity-support enable 
unset domain
unset banner
set include-local-lan disable 
set save-password disable 
set client-auto-negotiate enable 
set client-keep-alive enable
unset backup-gateway
# NOTE(review): clear-text PSK, and the same value is used by ipsec-ios,
# ipsec-cisco and intf-l2tp. Use a distinct, long random secret per tunnel and
# keep this file out of shared repositories and backups in clear text.
set psksecret  "only4mydomain1!"
set keepalive 10
set distance 1
set priority 0
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
###########################
# IPSec Phase 2 FortiClient Settings (Interface Based)
###########################
config vpn ipsec phase2-interface
# Phase 2 (ESP) for the ipsec-fc dialup tunnel. Selectors are 0.0.0.0/0 on both
# sides, typical for dialup clients whose address is assigned in phase 1.
edit ipsec-fc
set comments "IPSec Phase2 FortiClient 5.4 mydomain1-sg0e0"
set phase1name ipsec-fc 
# NOTE(review): aes256-md5 is a legacy integrity choice; keep aes256-sha1 (or
# move to SHA-2) and drop MD5 once clients allow. PFS is enabled here (with
# dhgrp 2), unlike the ipsec-ios and ipsec-cisco phase 2 entries.
set proposal aes256-md5 aes256-sha1 
set pfs enable 
set dhgrp 2 
set replay enable 
set keepalive enable 
set add-route phase1 
set auto-discovery-sender phase1 
set auto-discovery-forwarder phase1 
set keylife-type seconds 
set single-source disable 
set route-overlap use-new 
set encapsulation tunnel-mode 
set protocol 0
set src-addr-type subnet 
set src-port 0
set dst-addr-type subnet 
set dst-port 0
# Phase 2 SA lifetime in seconds (30 min).
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
set dst-subnet 0.0.0.0 0.0.0.0
next
end
###########################
# IPSec Phase 1 IOS Settings (Interface Based)
###########################
config vpn ipsec phase1-interface
# Dialup (type dynamic) IKEv1 phase 1 for the iOS native client on wan1.
# Peers authenticate with the shared PSK, then XAuth against authusrgrp.
edit ipsec-ios
set comments "IPSec Phase1 IOS mydomain1-sg0e0"
set type dynamic 
set interface wan1 
set ip-version 4 
set ike-version 1 
set local-gw 0.0.0.0
# Phase 1 SA lifetime in seconds (8 h).
set keylife 28800
# NOTE(review): PSK + aggressive mode + peertype any: any peer holding the
# shared PSK can start IKE, and aggressive mode is known to leak PSK-derived
# material usable for offline guessing. Main mode (as in ipsec-cisco) is
# preferable where the client supports it.
set authmethod psk 
set mode aggressive 
set peertype any 
# mode-cfg pushes address, DNS and split-include to the client.
set mode-cfg enable
set ipv4-dns-server1 198.18.0.91
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
#config ipv4-exclude-range
unset ipv6-dns-server1
unset ipv6-dns-server2 
unset ipv6-dns-server3
#config ipv6-exclude-range
# NOTE(review): aes256-md5 and dhgrp 2 (1024-bit MODP) are legacy choices;
# prefer SHA-2 proposals and DH group 14 or higher once clients support them.
set proposal aes256-md5 aes256-sha1 
set add-route enable 
set exchange-interface-ip disable 
set localid ipsec-ios 
set localid-type auto 
set negotiate-timeout 30
set fragmentation enable 
set dpd on-idle 
set forticlient-enforcement disable 
set npu-offload enable
set dhgrp 2 
set suite-b disable 
set wizard-type custom 
# XAuth user authentication against this group, on top of the PSK.
set xauthtype auto 
set reauth disable 
set authusrgrp gr-ipsec-ios-vpn-mydomain1.local 
set idle-timeout disable 
set ha-sync-esp-seqno  enable 
set auto-discovery-sender disable 
set auto-discovery-receiver disable 
set auto-discovery-forwarder disable 
set nattraversal enable 
set default-gw 0.0.0.0
set default-gw-priority 0
# Client address assignment: 198.18.4.1-126 with a /25 mask; the L2TP server
# ("config vpn l2tp") hands out 198.18.4.129-254, the other half of that /24.
set assign-ip enable 
set assign-ip-from range 
set ipv4-start-ip 198.18.4.1
set ipv4-end-ip 198.18.4.126
set ipv4-netmask 255.255.255.128
set dns-mode manual 
# Split tunnel: only the LAN object is pushed to the client as a tunnelled route.
set ipv4-split-include net-mydomain1-lan-198.18.0.0-24 
unset split-include-service
unset ipv6-start-ip 
unset ipv6-end-ip 
unset ipv6-prefix
unset ipv6-split-include
set unity-support enable 
unset domain
unset banner 
set include-local-lan disable 
set save-password disable 
set client-auto-negotiate enable 
set client-keep-alive enable
unset backup-gateway
# NOTE(review): clear-text PSK, identical to the one in ipsec-fc, ipsec-cisco
# and intf-l2tp; use a distinct, long random secret per tunnel.
set psksecret "only4mydomain1!"
set keepalive  10
set distance 1
set priority 0
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
###########################
# IPSec Phase 2 IOS Settings (Interface Based)
###########################
config vpn ipsec phase2-interface
# Phase 2 (ESP) for the ipsec-ios dialup tunnel. Selectors are 0.0.0.0/0 on
# both sides, typical for dialup clients whose address is assigned in phase 1.
edit ipsec-ios
set comments "IPSec Phase2 IOS mydomain1-sg0e0"
set phase1name ipsec-ios
# NOTE(review): pfs disable — no Perfect Forward Secrecy for phase 2 keys,
# unlike ipsec-fc (pfs enable). Enable PFS (with DH group 14 or higher) if the
# native client supports it. aes256-md5 is a legacy integrity choice.
set proposal aes256-md5 aes256-sha1
set pfs disable 
set replay enable
set keepalive enable
set add-route phase1
set auto-discovery-sender phase1 
set auto-discovery-forwarder phase1 
set keylife-type seconds
set single-source disable
set route-overlap use-new 
set encapsulation tunnel-mode 
set protocol  0
set src-addr-type subnet 
set src-port 0
set dst-addr-type subnet 
set dst-port 0
# Phase 2 SA lifetime in seconds (30 min).
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
set dst-subnet 0.0.0.0 0.0.0.0
next
end
###########################
# IPSec Phase 1 Cisco Native Settings (Interface Based)
###########################
config vpn ipsec phase1-interface
# Dialup (type dynamic) IKEv1 phase 1 for Cisco-compatible native clients on wan1.
# Peers authenticate with the shared PSK, then XAuth against authusrgrp.
edit ipsec-cisco
set comments "IPSec Phase1 Cisco Native mydomain1-sg0e0"
set type dynamic 
set interface wan1 
set ip-version 4 
set ike-version 1 
set local-gw 0.0.0.0
# Phase 1 SA lifetime in seconds (8 h).
set keylife 28800
# Main mode here (ipsec-fc and ipsec-ios use aggressive mode), which avoids the
# aggressive-mode PSK exposure. NOTE(review): with peertype any, any peer
# holding the shared PSK can still start IKE; XAuth below is the user gate.
set authmethod psk 
set mode main 
set peertype any 
# mode-cfg pushes address, DNS and split-include to the client.
set mode-cfg enable
set ipv4-dns-server1 198.18.0.91
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
#config ipv4-exclude-range
unset ipv6-dns-server1
unset ipv6-dns-server2 
unset ipv6-dns-server3
#config ipv6-exclude-range
# NOTE(review): aes256-md5 and dhgrp 2 (1024-bit MODP) are legacy choices;
# prefer SHA-2 proposals and DH group 14 or higher once clients support them.
set proposal aes256-md5 aes256-sha1 
set add-route enable 
set exchange-interface-ip disable 
set localid ipsec-cisco 
set localid-type auto 
set negotiate-timeout 30
set fragmentation enable 
set dpd on-idle 
set forticlient-enforcement disable 
set npu-offload enable
set dhgrp 2 
set suite-b disable 
set wizard-type custom 
# XAuth user authentication against this group, on top of the PSK.
set xauthtype auto 
set reauth disable 
set authusrgrp gr-ipsec-cisco-vpn-mydomain1.local 
set idle-timeout disable 
set ha-sync-esp-seqno enable 
set auto-discovery-sender disable 
set auto-discovery-receiver disable 
set auto-discovery-forwarder disable 
set nattraversal enable 
set default-gw 0.0.0.0
set default-gw-priority 0
# Client address assignment: 198.18.5.1-126 with a /25 mask (its own /24,
# separate from the SSL, FortiClient, iOS and L2TP ranges).
set assign-ip enable 
set assign-ip-from range 
set ipv4-start-ip 198.18.5.1
set ipv4-end-ip 198.18.5.126
set ipv4-netmask 255.255.255.128
set dns-mode manual 
# Split tunnel: only the LAN object is pushed to the client as a tunnelled route.
set ipv4-split-include net-mydomain1-lan-198.18.0.0-24 
unset split-include-service
unset ipv6-start-ip 
unset ipv6-end-ip 
unset ipv6-prefix
unset ipv6-split-include
set unity-support enable 
unset domain
unset banner 
set include-local-lan disable 
set save-password disable 
set client-auto-negotiate enable 
set client-keep-alive enable
unset backup-gateway
# NOTE(review): clear-text PSK, identical to the one in ipsec-fc, ipsec-ios
# and intf-l2tp; use a distinct, long random secret per tunnel.
set psksecret "only4mydomain1!"
set keepalive  10
set distance 1
set priority 0
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
###########################
# IPSec Phase 2 Cisco Native Settings (Interface Based)
###########################
config vpn ipsec phase2-interface
# Phase 2 (ESP) for the ipsec-cisco dialup tunnel. Selectors are 0.0.0.0/0 on
# both sides, typical for dialup clients whose address is assigned in phase 1.
edit ipsec-cisco
set comments "IPSec Phase2 Cisco Native mydomain1-sg0e0"
set phase1name ipsec-cisco
# NOTE(review): pfs disable — no Perfect Forward Secrecy for phase 2 keys,
# unlike ipsec-fc (pfs enable). Enable PFS (with DH group 14 or higher) if the
# clients support it. aes256-md5 is a legacy integrity choice.
set proposal aes256-md5 aes256-sha1
set pfs disable 
set replay enable
set keepalive enable
set add-route phase1
set auto-discovery-sender phase1 
set auto-discovery-forwarder phase1 
set keylife-type seconds
set single-source disable
set route-overlap use-new 
set encapsulation tunnel-mode 
set protocol  0
set src-addr-type subnet 
set src-port 0
set dst-addr-type subnet 
set dst-port 0
# Phase 2 SA lifetime in seconds (30 min).
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
set dst-subnet 0.0.0.0 0.0.0.0
next
end
###########################
# IPSec Phase 1 L2TP Settings (Interface Based)
###########################
config vpn ipsec phase1-interface
# IKEv1 main-mode dialup phase 1 for L2TP/IPsec clients on wan1. No XAuth and
# no mode-cfg here: user authentication and address assignment are presumably
# done by the L2TP/PPP layer ("config vpn l2tp": usrgrp, sip/eip) — confirm.
edit "intf-l2tp"
set comments "IPSec Intf Phase1 L2TP mydomain1-sg0e0"
set type dynamic 
set interface wan1 
set ip-version 4 
set ike-version 1 
set local-gw 0.0.0.0
# Phase 1 SA lifetime in seconds (24 h; the other phase 1 entries use 8 h).
set keylife 86400
# NOTE(review): PSK with peertype any — any peer holding the shared PSK at the
# bottom of this entry can start IKE. Main mode is used (good).
set authmethod psk 
set mode main 
set peertype any 
set mode-cfg disable 
# NOTE(review): 3des-sha1 (64-bit block cipher) and aes256-md5 are legacy
# suites; keep aes192-sha1 (or move to SHA-2) and drop the others once the
# client operating systems allow. dhgrp 2 is likewise legacy.
set proposal aes256-md5 3des-sha1 aes192-sha1 
set add-route enable 
set exchange-interface-ip disable 
unset localid 
set localid-type auto 
set negotiate-timeout 30
set fragmentation enable 
set dpd on-demand 
set forticlient-enforcement disable 
set npu-offload enable 
set dhgrp 2 
set suite-b disable 
set wizard-type custom 
set xauthtype disable 
set idle-timeout disable 
set ha-sync-esp-seqno enable 
set auto-discovery-sender disable 
set auto-discovery-receiver disable 
set auto-discovery-forwarder disable 
set nattraversal enable 
set default-gw 0.0.0.0
set default-gw-priority 0
# NOTE(review): clear-text PSK, identical to the one in ipsec-fc, ipsec-ios
# and ipsec-cisco; use a distinct, long random secret per tunnel.
set psksecret "only4mydomain1!"
set keepalive  10
# Higher administrative distance than the other tunnels (15 versus 1).
set distance 15
set priority 0
set dpd-retrycount 3
set dpd-retryinterval 20
next
end
###########################
# IPSec Phase 2 L2TP Settings (Interface Based)
###########################
config vpn ipsec phase2-interface
# Phase 2 for the L2TP/IPsec tunnel: transport mode with l2tp enabled, so ESP
# protects the L2TP session itself rather than a tunnelled subnet.
edit "intf-l2tp"
set comments "IPSec Intf Phase2 L2TP mydomain1-sg0e0"
set phase1name "intf-l2tp"
# NOTE(review): same legacy suites as phase 1 (aes256-md5, 3des-sha1) and no PFS.
set proposal aes256-md5 3des-sha1 aes192-sha1 
set pfs disable 
set replay enable 
set keepalive disable 
set add-route phase1 
set auto-discovery-sender phase1 
set auto-discovery-forwarder phase1 
set keylife-type seconds 
set encapsulation transport-mode 
set l2tp enable 
set protocol 0
set src-port 0
set dst-port 0
set dhcp-ipsec disable 
# Phase 2 SA lifetime in seconds (1 h).
set keylifeseconds 3600
next
end
###########################
# IPSec L2TP IP/User Settings (Interface Based)
###########################
config vpn l2tp
# L2TP server: client addresses 198.18.4.129-254 (upper half of 198.18.4.0/24;
# ipsec-ios assigns 198.18.4.1-126) and users from the L2TP group below.
set sip 198.18.4.129
set eip 198.18.4.254
set status enable
set usrgrp "gr-ipsec-l2tp-vpn-mydomain1.local"
end
###########################
# IPSec L2TP Service Settings (Interface Based)
###########################
config firewall service custom
# Service object for L2TP, for use in firewall policies.
# NOTE(review): L2TP runs over UDP/1701; the TCP/1701 range is presumably
# unnecessary and only widens any policy that references this object — confirm
# before keeping it.
edit "L2TP"
set tcp-portrange 1701
set udp-portrange 1701
next
end


